Boilerplate Express API server with user authentication.
Uses MySQL and JWTs signed with RSA keys (RS256), with token fingerprinting.
Presented at Hackernoon.
- Forgot-password and password-reset flow
- Request throttling
- XSRF (CSRF) protection
- Clone the repo locally.
- Create a new database and import enky_jwt.sql into it.
- Run `npm install`.
- Copy .env.example to .env.
- Edit the MySQL section of .env to match your database.
- Start the application locally:

    # Start application locally
    $ npm run dev
A client application is available at https://github.com/igorbalden/jwenky-cnt.
It is a React SPA built for this API server.
Clone and start the client application, then go to the /auth/signUp page
to create the first user. This first user becomes an admin.
See RS256-keys.md in this directory for the RS256 key setup.
Without any other change, an all-in-one API server (authentication and
API access in one process) runs on port 5050.
This is a viable setup; more instances of the server can be added when the load increases.
The recommended deployment is different: build two server types from this
codebase, an Authentication (Auth) server and an Access server.
An installation should include one (or more) Auth server and as many
Access servers as needed, running as microservices.
The Auth server needs only /routes/auth.js and /routes/password.js for routing;
these files contain all the endpoints the Auth server serves.
The middleware these routes need is in /services/auth/AuthMiddle.js.
Access servers do not need /routes/auth.js, /routes/password.js,
or /services/auth/AuthMiddle.js.
Their .env file must not contain the JWENKY_PRIVATE_KEY value: Access servers
only verify tokens, which requires nothing more than the public key.
If the private key is read from a key file, that file should exist only on the Auth server.
The authentication system uses both JWTs and cookies.
If HTTPS is available, the cookies should be marked Secure: uncomment the three
existing lines containing 'secure: true' in /routes/auth.js, so the browser
sends the cookies only over HTTPS.
Mail is sent with Nodemailer.
/config/mail.js contains two example mailer configurations:
- 'local' works with the MailHog SMTP testing server.
- 'production' uses a common Linux server configuration.
These configurations can be modified, and others added, as needed.
Token lifetimes are set in /config/auth.js.
Default configuration: access token valid for 10 minutes, refresh token valid for 20 hours.